
Slide 1: Network Security: Network Review and Firewalls
Henning Schulzrinne
Columbia University, New York
schulzrinne@cs.columbia.edu
Columbia University, Fall 2000
© 1999-2000, Henning Schulzrinne. Last modified September 21, 2000.


Slide 2: Secure Communications
• Alice can send message to Bob; only Bob can read
• Bob knows for sure that Alice sent it
• Alice can't deny she sent the message
• but the basic communication is insecure:
  – wiretapping
  – switches and routers
  – redirection
  – storage
  – ...
• ≠ storage security

Slide 3: Security is analog, not binary...
• there is no perfect security
• cost of inconvenience vs. cost of breach
• how long does it have to stay secret?
• how sophisticated is the adversary?
• value of information + value of service (DoS)
• physical security + cryptographic
• difference: attack from anywhere, automated ("script kiddies")
• most problems are not crypto problems
• wire/fiber-tapping is hard

Slide 4: Terminology
bad guy: avoid 'hacker'; Trudy = intruder, impostor
secret key: = symmetric = receiver and transmitter share secret key, nobody else
public key: = asymmetric = two keys, one public, one private (secret)
• confidentiality ≠ privacy: confidentiality protects communications from all but intended recipients; privacy is the subject of privacy laws

Slide 5: Dramatis Personae
usually computers:
Alice: first participant
Bob, Carol, Dave: second, third, fourth participant
Eve: eavesdropper
Mallory, Trudy: malicious active attacker
Trent: trusted arbitrator
Walter: warden; guarding Alice and Bob in some protocols
Peggy: prover
Victor: verifier

Slide 6: Kaufman Notation
⊕             ex-or, exclusive or
||            concatenation (e.g., "joe" || "secret" = "joesecret")
{message}K    message encrypted with key K
{message}Bob  message encrypted with public key of Bob
[message]Bob  message signed by Bob (= using his private key)

Slide 7: Network Primer

layer  name          who             e.g.                PDU
7      application   E-E             SMTP                message
6      presentation  E-E             MIME
5      session       E-E             ?
4      transport     E-E             TCP                 packet
3      network       router          IP                  packet
2      data link     bridge, switch  Ethernet            frame
1      physical      repeater        Ethernet over coax  bit stream

(E-E = end-to-end)

Slide 8: Network Services
(Almost) any layer:
error checking: checksum, drop bad packets
reliability: retransmission (ARQ, "ack") or forward error correction (redundancy)
ordering: ensure delivery order
multiplexing: several upper-layer entities → one lower-layer entity (e.g., telephony)
inverse multiplexing: spread single message over several channels
flow control: avoid overrunning slow receiver
congestion control: avoid overrunning slow network
encryption, authentication: obviously...

Slide 9: Directory Services
• need (network-layer) address to communicate
• more memorable, different assignment:
  – unique identifier
  – locator
  – name (administrative, "John Smith", www.)
• directory service: translation between addresses
• scalability ➠ tree, hierarchy
• e.g., clinton@whitehouse.gov
• needed for security: public key
• needs to be secured

Slide 10: Network Security Layers
Physical layer: blackening
Data link layer: wireless Ethernet encryption (802.11 WEP at 11 Mb/s), PPP authentication
Network layer: IPsec
Transport layer: secure socket layer (TLS, "https:")
Application: email (PGP, S/MIME), x-over-TLS, HTTP authentication, SHTTP, Kerberos
infrastructure: DNS, routing, resource reservations, ...

Slide 11: Security Approaches
• Application security
• OS security
• Network infrastructure security
• Procedural and operational security

Slide 12: Application Security
• application software security (e.g., buffer overruns)
• path encryption via secure application protocols (ssh)
• isolating critical applications on single-purpose hosts

Slide 13: Host/OS Security
• OS software integrity (most attacks on non-patched OS)
• user-level access control (AAA, tokens)
• block unneeded services (finger, ftp, DNS)
• path encryption via IPsec
• device-level access control (MAC, IP, DNS) in servers, routers, Ethernet switches
• e.g., host firewalling (such as TCP wrappers, ipchains)

Slide 14: Network Infrastructure Security
• service-blocking perimeter (port)
• device-ID perimeter (IP address)
• path encryption perimeter
• path isolation via routers and switches
• path isolation via separate infrastructure ("air gap")

Slide 15: Procedural and Operational Security
• policies and education on safe computing practices
• desktop configuration management
• proactive probing for vulnerabilities
• intrusion detection

Slide 16: Top-level Domains
2 letters: countries
3 letters: independent of geography (except edu, gov, mil)

domain  usage                     example                 domains (8/00)
com     business (global)         research.att.com        17,050,817
edu     U.S. 4 yr colleges        cs.columbia.edu         5,673
gov     U.S. non-military gov't   whitehouse.gov          730
mil     U.S. military             arpa.mil
org     non-profit orgs (global)  www.ietf.org            248,489
net     network provider          nis.nsf.net             2,806,721
us      U.S. geographical         ietf.cnri.reston.va.us
uk      United Kingdom            cs.ucl.ac.uk            194,686
de      Germany                   fokus.gmd.de            262,708

Slide 17: Replicated Services
• load sharing
• availability
• same information?
• replay: change password to different server

Slide 18: Packet Switching
• circuit switching: fixed-rate, reserved bit stream between parties for duration of communications ("wire")
• packet switching: chop application messages into packets (< few kB, with upper bound):
  – interleaving from different sources
  – error recovery on single unit
  – flexible bandwidth
➠ encryption on messages or packets

Slide 19: Network Components
link: connection between components, including wireless ➠ point-to-point (modem), multiple access (Ethernet)
router, switch: forward packets
node: router (= intermediate system), host (= end system)
clients: access resources and services
servers: provide resources and services (may also be client)
dumb terminal: no local processing

Slide 20: Network Access and Interconnection
[Figure: a company network (PC, Ethernet, firewall, router R) and telephone/modem users reaching a company point-of-presence (POP) through a modem concentrator over phone lines; 56 kb/s to 2 Mb/s and T3 links from the company and the POP into regional networks; regional networks joined to the national network at NAPs.]

Slide 21: Destinations
• interconnect local networks (links) of different technology
• router:
  1. get packet from source link, strip link layer header
  2. find outgoing interface based on destination network address
  3. find next link-layer address
  4. wrap in link layer header and send

Slide 22: Internet Names and Addresses

example                 name         organization
8:0:20:72:93:18         MAC address  flat, permanent
132.151.1.35            IP address   topological (mostly)
www.ietf.org            host name    hierarchical
clinton@whitehouse.gov  user name    multiple

host name → (DNS; many-to-many) → IP address → (ARP; 1-to-1) → MAC address
addresses can be forged ➠ check source
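The four router steps of Slide 21 and the name → IP → MAC chain of Slide 22, worked through as a toy forwarder. This is an added example, not code from the slides; the DNS, ARP and forwarding tables, the interface names and the router's own MAC address are constructed for illustration. The "check source" advice from Slide 22 is implemented as a reverse-path check: a packet whose claimed source address would itself be routed out of a different interface than the one it arrived on is dropped.

```python
"""Added example, not part of the slides: the four forwarding steps of Slide 21
and the host name -> IP address -> MAC address chain of Slide 22 as a toy router.
All tables and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Slide 22: name resolution tables (constructed sample data)
DNS = {"www.ietf.org": "132.151.1.35"}   # host name -> IP address (DNS; many-to-many in general)
ARP = {                                   # IP address -> MAC address on the outgoing link (ARP; 1-to-1)
    "132.151.1.35": "8:0:20:72:93:18",
    "192.0.2.1": "0:0:c:1:2:3",
}

# Forwarding table: (destination network, outgoing interface, next-hop IP or None if directly attached)
FORWARDING = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0", None),
    (ipaddress.ip_network("132.151.0.0/16"), "eth1", None),
    (ipaddress.ip_network("0.0.0.0/0"), "eth2", "192.0.2.1"),   # default route via a constructed next hop
]

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    packet: dict        # the IP packet: {"src": ..., "dst": ..., "data": ...}

def resolve(hostname):
    """First hop of the Slide 22 chain: host name -> IP address."""
    return DNS[hostname]

def lookup_route(dst_ip):
    """Step 2: longest-prefix match on the destination network address."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [entry for entry in FORWARDING if dst in entry[0]]
    if not matches:
        raise LookupError(f"no route to {dst_ip}")
    net, ifc, next_hop = max(matches, key=lambda e: e[0].prefixlen)
    return ifc, next_hop

def source_is_plausible(src_ip, in_ifc):
    """Slide 22: addresses can be forged, so check the source. If the router would
    reach src_ip through a different interface than the one the packet came in on,
    the source address is not believable (reverse-path check)."""
    return lookup_route(src_ip)[0] == in_ifc

def forward(frame, in_ifc, my_mac="0:0:c:ff:ff:1"):
    """Steps 1-4 of Slide 21 for one frame arriving on interface in_ifc.
    Returns (outgoing interface, outgoing frame), or None if the packet is dropped."""
    packet = frame.packet                              # step 1: strip the link-layer header
    if not source_is_plausible(packet["src"], in_ifc):
        return None                                    # drop: claimed source cannot be on this link
    out_ifc, next_hop = lookup_route(packet["dst"])    # step 2: outgoing interface
    target_ip = next_hop or packet["dst"]              # directly attached: deliver to the host itself
    next_mac = ARP.get(target_ip)                      # step 3: next link-layer address
    if next_mac is None:
        return None                                    # drop: no link-layer address for the next hop
    return out_ifc, Frame(dst_mac=next_mac, src_mac=my_mac, packet=packet)   # step 4: re-wrap and send

if __name__ == "__main__":
    dst = resolve("www.ietf.org")
    incoming = Frame("0:0:c:ff:ff:1", "8:0:20:aa:bb:cc",
                     {"src": "10.0.0.2", "dst": dst, "data": b"GET /"})
    out_ifc, out_frame = forward(incoming, in_ifc="eth0")
    print(out_ifc, out_frame.dst_mac)
```

The same packet keeps its IP header from source to destination; only the link-layer header is rebuilt at every router, which is why the MAC address is "flat, permanent" and meaningful on one link only, while the IP address is what the forwarding table is keyed on.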

Slide 23: Tempest
• every device is a radio transmitter
• e.g., TV scanning
• Europe: find unlicensed TV receivers
• control zone

Slide 24: Threats for a Corporate/Campus Network
• unauthorized access to hosts (clients, servers)
• disclosure & modification of network data
• denial-of-service attacks

Slide 25: Threats for the Internet/ISP
• propagate false routing entries ("black holes", www.citibank.com → www.mybank.az)
• domain name hijacking
• link flooding
• configuration changes (SNMP)
• packet intercept

Slide 26: Application-Layer Threats
• only limited ability of network intervention possible
• shoulder-surfing
• rogue applications emailing out confidential files
• viruses, mail bombs, email attachments, ...

Slide 27: General Strategies
• hardening the OS and applications
• encrypting sensitive data
• reduce size of target → disable unneeded services
• limit access of attacker to target systems

Slide 28: Network Infrastructure
[Figure: enterprise network and Internet, with the network infrastructure divided into border, edge and interior.]

Slide 29: Trust Model
• perimeter defense: defines trust zone
• most attacks are from the inside
• traveling users: virtual private networks – danger!
• "extranets" for vendors, suppliers, ...
• internal hosts may not be managed or under control of network operator
• defense in depth

Slide 30: Firewalls
• computer between internal ("intranet") and external network
• = policy-based packet filtering
• watch single point rather than every PC
• limit in/out services, restrict incoming packets
• can't prevent people walking out with disks
packet filter: restrict IP addresses (address filtering), ports
connection filter: only allow packets belonging to authorized (TCP) connections
encrypted tunnel: tunnel = a layer carried inside itself ➠ virtual network: connect intranets across Internet
NA(P)T: network address (and port) translators are not firewalls, but can prevent all incoming connections
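The two filter types of Slide 30 side by side, as an added example that is not part of the slides: a stateless packet filter that decides on addresses and ports alone, and a connection filter that admits an inbound packet only if an inside host opened the TCP connection it belongs to. The intranet prefix 10.0.0.0/8, the rule set, the server addresses and the sample packets are constructed; the outside address 216.32.74.51 and port 2345 are taken from the NAT figure of the next slide.

```python
"""Added example, not part of the slides: the packet filter and the connection
filter of Slide 30 as a toy firewall. The intranet prefix, the rules and the
sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the internal network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: set on the packet that opens a connection
    ack: bool = False

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTRANET

# Packet filter (address filtering plus ports): stateless, first matching rule wins.
# Entries: (direction, destination port or None for any, verdict)
RULES = [
    ("in", 25, "allow"),     # SMTP to the mail server
    ("in", 80, "allow"),     # public web server
    ("out", None, "allow"),  # anything the inside initiates
    ("in", None, "deny"),    # default: restrict incoming packets
]

def packet_filter(pkt, from_outside):
    """Decide on one packet alone, using only addresses and ports."""
    # address filtering: a packet arriving from outside must not claim an inside source
    if from_outside and is_internal(pkt.src):
        return "deny"
    direction = "in" if from_outside else "out"
    for rule_dir, port, verdict in RULES:
        if rule_dir == direction and (port is None or port == pkt.dport):
            return verdict
    return "deny"

class ConnectionFilter:
    """Only admit inbound packets that belong to a connection an inside host opened."""
    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt, from_outside):
        if from_outside:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.connections else "deny"
        if pkt.syn and not pkt.ack:    # inside host opening a new TCP connection
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

class Firewall:
    """Packet filter first; inbound packets the rules do not explicitly allow are
    admitted only when the connection filter already knows the connection."""
    def __init__(self):
        self.conn = ConnectionFilter()

    def decide(self, pkt, from_outside):
        verdict = packet_filter(pkt, from_outside)
        if not from_outside:
            self.conn.check(pkt, from_outside)          # remember connections opened from inside
            return verdict
        if verdict == "allow":
            return "allow"                              # explicitly offered inbound service
        if is_internal(pkt.src):
            return "deny"                               # forged inside address, never consult state
        return self.conn.check(pkt, from_outside)       # reply to an inside-initiated connection?

def run_scenario():
    """Constructed packet sequence; returns the firewall's verdicts in order."""
    fw = Firewall()
    packets = [
        # alice opens a web connection to an outside server (allowed outbound, recorded)
        (Packet("10.0.0.2", 2345, "216.32.74.51", 80, syn=True), False),
        # the server's SYN/ACK belongs to that connection
        (Packet("216.32.74.51", 80, "10.0.0.2", 2345, syn=True, ack=True), True),
        # an unrelated outside host sends to the same inside port: no known connection
        (Packet("203.0.113.9", 80, "10.0.0.2", 2345), True),
        # an outside packet forged with an inside source address
        (Packet("10.0.0.5", 4444, "10.0.0.2", 22), True),
        # inbound mail to the mail server is an explicitly allowed service
        (Packet("203.0.113.9", 40000, "10.0.0.25", 25, syn=True), True),
    ]
    return [fw.decide(pkt, from_outside) for pkt, from_outside in packets]

if __name__ == "__main__":
    print(run_scenario())
```

The third packet shows what the connection filter buys: a pure packet filter would have to open all high inbound ports to let replies through, and could not tell a reply from an unsolicited packet to the same port. The toy keeps no timeouts and does not track connection teardown, both of which a real stateful filter needs so the table does not grow without bound.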

Slide 31: Network Address Translation
[Figure: alice.example.com (10.0.0.2) and bob.example.com (10.0.0.3) behind a NAT with inside address 10.0.0.1 and outside address 128.59.16.1, talking to www.yahoo.com (216.32.74.51).]
outbound: 10.0.0.2/2345 → 216.32.74.51/80 is rewritten to 128.59.16.1/5678 → 216.32.74.51/80
inbound: 128.59.16.1/5678 ← 216.32.74.51/80 is rewritten to 216.32.74.51/80 → 10.0.0.2/2345
NAT table (port → addr/port): 5678 → 10.0.0.1/2345

Slide 32: Application Gateway
[Figure: global net, firewall F1, DMZ (Ethernet) holding the gateway, firewall F2, intranet.]
• firewall Fx: only to/from gateway
• may only allow email, file transfer
• hard to restrict large file transfers
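The address and port rewriting of Slide 31, worked through as a toy NAPT. This is an added example, not code from the slides: the addresses and the first public port 5678 are the figure's, while the port allocation policy (hand out consecutive ports starting at 5678), the second host's connection and the unsolicited inbound packet are constructed. The inbound direction shows why Slide 30 says a NA(P)T, although not a firewall, prevents all incoming connections: a mapping exists only because an inside host sent something first, so a packet to an unmapped public port has nowhere to go and is dropped.

```python
"""Added example, not part of the slides: the network address and port
translation of Slide 31 as a toy NAPT. Addresses follow the figure; the port
allocation policy and the extra packets are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NAPT:
    def __init__(self, public_ip, first_port=5678):
        self.public_ip = public_ip
        self.next_port = first_port   # the figure maps alice's first connection to 5678
        self.out_map = {}             # (inside ip, inside port) -> public port
        self.in_map = {}              # public port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to the public address and a mapped port.
        10.0.0.2/2345 -> 216.32.74.51/80 becomes 128.59.16.1/5678 -> 216.32.74.51/80."""
        key = (pkt.src, pkt.sport)
        port = self.out_map.get(key)
        if port is None:                       # first packet of this inside flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination back to the inside host, or return
        None (drop) when no mapping exists. Only an earlier outbound packet creates a
        mapping, so an unsolicited incoming connection cannot reach any inside host."""
        if pkt.dst != self.public_ip:
            return None
        inside = self.in_map.get(pkt.dport)
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

def slide31_exchange():
    """The figure's exchange plus two constructed extras; returns the four results."""
    nat = NAPT("128.59.16.1")
    out = nat.outbound(Packet("10.0.0.2", 2345, "216.32.74.51", 80))          # alice -> yahoo
    reply = nat.inbound(Packet("216.32.74.51", 80, "128.59.16.1", out.sport))  # yahoo -> alice
    # bob happens to use the same inside port 2345; the NAPT must give him a different public port
    bob_out = nat.outbound(Packet("10.0.0.3", 2345, "216.32.74.51", 80))
    # an unsolicited packet to a public port nobody mapped is dropped
    unsolicited = nat.inbound(Packet("216.32.74.51", 80, "128.59.16.1", 6000))
    return out, reply, bob_out, unsolicited

if __name__ == "__main__":
    for step in slide31_exchange():
        print(step)
```

The toy keys a mapping on the inside address and port only; a real NAPT also records the outside address and port and expires idle mappings, which narrows which outside hosts can send through an open mapping and keeps the table bounded.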
